WARNING in free_task


syzbot

Sep 22, 2019, 7:17:06 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: d573e8a7 Linux 4.19.75
git tree: linux-4.19.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1169da75600000
kernel config: https://syzkaller.appspot.com/x/.config?x=50b385e67c7b7cdf
dashboard link: https://syzkaller.appspot.com/bug?extid=d1f926abddddcacc53c1
compiler: gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+d1f926...@syzkaller.appspotmail.com

WARNING: CPU: 1 PID: 18585 at kernel/fork.c:408 free_task+0xf8/0x120 kernel/fork.c:408
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 18585 Comm: syz-executor.3 Not tainted 4.19.75 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
panic+0x263/0x507 kernel/panic.c:185
kobject: 'loop4' (00000000913b741e): kobject_uevent_env
kobject: 'loop4' (00000000913b741e): fill_kobj_path: path = '/devices/virtual/block/loop4'
__warn.cold+0x20/0x4a kernel/panic.c:540
report_bug+0x263/0x2b0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
fixup_bug arch/x86/kernel/traps.c:173 [inline]
do_error_trap+0x204/0x360 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1037
RIP: 0010:free_task+0xf8/0x120 kernel/fork.c:408
Code: 48 8b 3d fb 36 3c 08 4c 89 e6 e8 d3 8c 63 00 5b 41 5c 41 5d 5d c3 e8 c7 32 2d 00 4c 89 e7 e8 2f 6f 09 00 eb d6 e8 b8 32 2d 00 <0f> 0b e9 6a ff ff ff e8 0c c6 63 00 eb ab 4c 89 ef e8 02 c6 63 00
RSP: 0018:ffff8880ae907db0 EFLAGS: 00010206
RAX: ffff88809b4aa100 RBX: 0000000000000001 RCX: ffffffff813e2f31
RDX: 0000000000000100 RSI: ffffffff813e2fc8 RDI: 0000000000000005
kobject: 'loop4' (00000000913b741e): kobject_uevent_env
RBP: ffff8880ae907dc8 R08: ffff88809b4aa100 R09: ffffed100946e338
R10: ffffed100946e337 R11: ffff88804a3719bb R12: ffff88804a370680
R13: ffff88804a3719b8 R14: ffff888094f5eac8 R15: ffffffff813fa710
kobject: 'loop4' (00000000913b741e): fill_kobj_path: path = '/devices/virtual/block/loop4'
__put_task_struct+0x20f/0x4c0 kernel/fork.c:689
put_task_struct include/linux/sched/task.h:96 [inline]
delayed_put_task_struct+0x1fb/0x350 kernel/exit.c:181
__rcu_reclaim kernel/rcu/rcu.h:236 [inline]
rcu_do_batch kernel/rcu/tree.c:2584 [inline]
invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
__rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
rcu_process_callbacks+0xba0/0x1a30 kernel/rcu/tree.c:2881
__do_softirq+0x25c/0x921 kernel/softirq.c:292
kobject: 'loop4' (00000000913b741e): kobject_uevent_env
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1091
</IRQ>
do_softirq.part.0+0x11a/0x170 kernel/softirq.c:336
do_softirq kernel/softirq.c:328 [inline]
__local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189
kobject: 'loop4' (00000000913b741e): fill_kobj_path: path = '/devices/virtual/block/loop4'
local_bh_enable include/linux/bottom_half.h:32 [inline]
get_next_corpse net/netfilter/nf_conntrack_core.c:1928 [inline]
nf_ct_iterate_cleanup+0x217/0x4e0 net/netfilter/nf_conntrack_core.c:1951
caif:caif_disconnect_client(): nothing to disconnect
nf_ct_iterate_cleanup_net net/netfilter/nf_conntrack_core.c:2036 [inline]
nf_ct_iterate_cleanup_net+0x133/0x190 net/netfilter/nf_conntrack_core.c:2021
masq_device_event+0xe2/0x120 net/ipv4/netfilter/nf_nat_masquerade_ipv4.c:100
notifier_call_chain+0xc2/0x230 kernel/notifier.c:93
__raw_notifier_call_chain kernel/notifier.c:394 [inline]
raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1747
call_netdevice_notifiers net/core/dev.c:1765 [inline]
dev_close_many+0x33f/0x6f0 net/core/dev.c:1517
rollback_registered_many+0x33f/0xda0 net/core/dev.c:7982
kobject: 'loop4' (00000000913b741e): kobject_uevent_env
kobject: 'loop4' (00000000913b741e): fill_kobj_path: path = '/devices/virtual/block/loop4'
rollback_registered+0x109/0x1d0 net/core/dev.c:8047
unregister_netdevice_queue net/core/dev.c:9096 [inline]
unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9089
unregister_netdevice include/linux/netdevice.h:2605 [inline]
__tun_detach+0xd8a/0x1040 drivers/net/tun.c:737
tun_detach drivers/net/tun.c:754 [inline]
tun_chr_close+0xe0/0x180 drivers/net/tun.c:3257
__fput+0x2dd/0x8b0 fs/file_table.c:278
____fput+0x16/0x20 fs/file_table.c:309
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4136f1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffcab058f70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004136f1
RDX: 0000001b30d20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00000000dec7843d R09: 00000000dec78441
R10: 00007ffcab059050 R11: 0000000000000293 R12: 000000000075bfc8
R13: 00000000001dfbbd R14: 00000000007605d8 R15: 000000000075bfd4
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 24, 2020, 12:39:06 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.